
Re: harden distribution



On Thu, 28 Jun 2001, Vince Mulhollon wrote:

> On 06/28/2001 11:59:27 AM David Spreen wrote:

> >> On Thu, Jun 28, 2001 at 12:29:16PM -0500, Vince Mulhollon wrote:
> >> > So, you want "someone else" to reoption every package, and then recompile
> >> > each package, and provide the infrastructure for everyone to download it,
> >> > but you don't want to put forth the effort to subscribe to dd and wade thru
> >> > the sewer with the rest of us?  I think that is the problem.
> >>
> >> No, I want to work on this port. Yes, I intend to start something like this,

> Then do it.  Start compiling packages with every hardened trick and patch
> that exists, and upload them.

David speaks of Stackguard here.  A stackguard system depends on using a
specially-patched gcc which is out of sync with the upstream gcc.  Building a
Stackguarded Debian system will require either adding this compiler to the
builddeps, or adding it to build-essential.  Does either of these methods
belong in the main Debian port to a given architecture?  If not, where will
you upload the packages to, since there's no i386-sg port currently in the
archive?

Some software will probably not compile correctly out-of-the-box with the
stackguard compiler, due to bugs or incompatibilities.  This means porting
work.  I'm also not sure if there's even a stackguard g++ available (I'd be
interested to know).

> Again, I think it's a worthwhile goal, but it requires a huge commitment of
> time.

Quite so.  *All* software on a stackguard system has to be compiled using the
stackguard compiler if the system is to achieve its goal.  We ran the original
StackGuard distro on a shell account box here.  We recompiled two packages
using regular gcc, because there were newer upstream versions w/ features we
needed and the packages didn't build under stackguard.  A vulnerability showed
up later in one of those packages; the vulnerability was exploited (because
the machine had such a different library environment from our other boxes, we
were ineffective in applying timely updates to this machine), and we had to
rebuild the box.  It wasn't worth StackGuarding it the second time around; it
runs Debian now, and gets its regular dose of security patches to keep it
healthy.

Also, StackGuard only protects against buffer overflows, and these are not the
only kinds of security fixes Debian releases.  Will Dave (and others, I hope!)
be able to keep up with the workload of porting all software to use
stackguard, *as well as* providing timely security fixes for these other
issues?  If so, I commend them and look forward to using this hardened port
some day.  If not, I fear that doing this partway is worse than not doing it
at all, because it will give users a false sense of security about the OS.

Steve Langasek
postmodern programmer


